Data protection authorities in Europe are to come under closer scrutiny over the way they’re enforcing the General Data Protection Regulation (GDPR).
Following a complaint, the European Commission has ordered national authorities to carry out reviews every two months of how their large-scale investigations into big tech firms under their jurisdiction are progressing.
These reviews will be required to include ‘key procedural steps taken and dates’, ordering the authorities to log their actions and how long each stage of the investigation is taking, effectively requiring them to demonstrate that they’re actually making progress.
The results of the reviews will be ‘strictly confidential’, although the specific kinds of data received will be published by the Commission.
The new ruling follows concerns put to the EU Ombudsman in September 2021 by the rights group the Irish Council for Civil Liberties (ICCL), and followed up with a formal complaint two months later.
Last December, the EU Ombudsman recommended that the Commission monitor the progress of all big tech cases that fall under the responsibility of the Irish Data Protection Commission, and this is now being applied to all large-scale cases across Europe.
“The European Commission’s new commitment should transform Europe’s data and digital enforcement. Previously, big cases lay dormant for years,” says Dr Johnny Ryan, ICCL senior fellow.
“Now, we should see acceleration in investigation and enforcement, and it will be clear where the European Commission needs to take swift action against Member States that fail to apply the GDPR. This heralds the beginning of true enforcement of the GDPR, and of serious European enforcement against Big Tech.”
There has been discontent for years about the way that GDPR is enforced across Europe. Companies are regulated in the country in which they’re headquartered, meaning that Ireland – home to Meta’s European operations, amongst others – has a particularly important role.
However, the Irish Data Protection Commission (DPC) has come under increasing fire for the sluggishness of its investigations, with the European Court of Justice accusing it of ‘persistent administrative inertia’.
Many investigations have dragged on for years. A complaint against Google and adtech firm IAB Data made in 2018 is still under investigation, despite having been described by the ICCL as ‘the largest data breach ever’.
And the DPC has also frequently been accused of treating big tech firms too leniently, with the European Data Protection Board (EDPB) recently ordering the DPC to carry out new investigations covering all of Facebook and Instagram’s data processing operations, and to fine the firm €390 million for GDPR violations.